Description of problem:
A stock install of RHEL5 and Fedora 8 (and possibly earlier versions) have /net managed by autofs (look at /etc/auto.master). Unfortunately, the "nosuid" mount option is not specified, meaning that any system auto-mounted under /net may have arbitrary suid root binaries.

Version-Release number of selected component (if applicable):
RHEL 5, Fedora 8, possibly others

How reproducible:
Always

Steps to Reproduce:
1. Set up an NFS server with an suid root binary in an exported directory.
2. Log into a system running Fedora 8/RHEL5. Ensure autofs is running.
3. As a non-root user on the Fedora 8/RHEL5 box, change directory to /net/hostname_of_nfs_server.tld/exported_path/
4. Run the suid root binary.

Actual results:
The suid binary runs with the effective UID of 0, making it so the unprivileged user now has full access to the system.

Expected results:
The share should have been mounted with the nosuid option, so that the executable does not run with the effective UID of root.

Additional info:
Changing (in /etc/auto.master):
"/net -hosts"
to:
"/net -nosuid -hosts"
will prevent exploitation.

I have also mailed this alert to secalert (from jhlange).
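The following is an added example and not part of the bug report or of autofs itself. It shows the two checks a practitioner would want after reading the report: an audit that reads /proc/mounts-style records and flags NFS shares under /net mounted without nosuid, and a sed rewrite that turns the stock "/net -hosts" auto.master line into the hardened "/net -nosuid -hosts" form while leaving an already-fixed line alone. The mount records and auto.master content are constructed sample data; the hostnames and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the autofs project).

# Constructed /proc/mounts-style sample: one /net share mounted through the
# stock "-hosts" map (no nosuid), one mounted after the fix, plus local fs.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0
nfsd.example.com:/export /net/nfsd.example.com/export nfs rw,addr=192.0.2.10 0 0
fixed.example.com:/export /net/fixed.example.com/export nfs rw,nosuid,addr=192.0.2.11 0 0
/dev/sdb1 /data ext3 rw,nosuid,nodev 0 0'

# Constructed auto.master sample with the vulnerable default line.
SAMPLE_AUTO_MASTER='/misc /etc/auto.misc
/net -hosts
+auto.master'

# Read mount records (src mountpoint fstype options ...) from stdin and print
# every NFS mount under /net whose option list lacks "nosuid".
# Returns 1 if any such mount was found, 0 otherwise.
# Live usage: find_suid_net_mounts < /proc/mounts
find_suid_net_mounts() {
    found=0
    while read -r src mnt fstype opts rest; do
        case "$mnt" in /net/*) ;; *) continue ;; esac
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        # Wrap in commas so "nosuid" only matches as a whole option.
        case ",$opts," in
            *,nosuid,*) ;;
            *) echo "$mnt ($src) mounted without nosuid"; found=1 ;;
        esac
    done
    return $found
}

# Rewrite auto.master content from stdin: "/net -hosts" becomes
# "/net -nosuid -hosts". A line that already carries -nosuid does not
# match the pattern and is passed through unchanged.
# Live usage (after backing up): harden_auto_master < /etc/auto.master
harden_auto_master() {
    sed 's#^\(/net[[:space:]][[:space:]]*\)-hosts#\1-nosuid -hosts#'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_MOUNTS" | find_suid_net_mounts \
    || echo "remediate by setting '/net -nosuid -hosts' in /etc/auto.master"
printf '%s\n' "$SAMPLE_AUTO_MASTER" | harden_auto_master
```

After changing auto.master, autofs must re-read the map (for example by restarting the service) and any share already mounted under /net has to be unmounted or it keeps the old options until it expires.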
CVE-2007-5964, see bug #410031 for top level
*** Bug 421361 has been marked as a duplicate of this bug. ***
autofs-5.0.2-20 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.